I’m not normally one to rant incessantly about the wide selection of outrageous things I find on the Interwebs these days. Today, I’ll make an exception, and rather than sugar-coat it, I’m just going to come right out and say it. The Internet is to stupid ideas what an incubated petri dish is to virulent bacteria:

I’m talking about the movement that just won’t stop. Nope, not dysentery (that comes close), but the UFO-proctowtfologists. Under ordinary circumstances, these fruitcakes wouldn’t bother me, but when I noticed that they started coming out en masse following a Slashdot article on Thursday’s meteor show I was pretty annoyed. Don’t believe me? See for yourself.

Yeah, that’s right. A bright, flashy light in the sky that left a vapor trail, reportedly resulted in a few sonic booms, and just freaking looked awesome couldn’t possibly be natural. I mean, it’s pretty obvious that there’s nothing in nature that comes close to being a spectacular light in the sky. Ergo, anything streaking across the wild blue yonder is obviously not a giant rock burning in the hellacious temperatures of reentry.

What really irked me was that another poster made a similar point to the one I raised above and was promptly attacked by rabid lunatics. Indeed, the passionate response he received was that of someone who, attempting to say something grossly insightful, turned out to look like an obese man in a speedo riding a unicycle around Times Square. That is to say he looked pretty damn ridiculous. The individual in question was a particular poster named “Fantabulous Lad” (not his real name) and stated:

[I’m] just pointing out that this exists, with the one simple proviso that it is not being placed conveniently in your lap for review with the shining stamp of social approval. Do you always let other people’s fear levels determine what is “real” for you? If so, then that’s actually quite normal. I just find it limiting, and prefer to think for myself since most people are frightened, delicate creatures all too ready to behave in a manner rationally counter to the demands of reality in order to stay in the good books with the herd.

(Emphasis mine, because that statement was stupider than the others.)

No. Just no. I’m not even going to bother saying anything about this (I already posted on Slashdot anyway). However, I think FDR put it best, and I quote:

It entertains me that the proof offered by our poster in this particular case was a book written by none other than Richard M. Dolan, a man credited for his whacked-out television personality. He’s also a whacked-out author who seems to believe that the government is a massive conspiracy. (Maybe he’s right but not in the way he thinks.) I think it’s great to cite a source that uses shaky evidence, anecdotes, and divining rods to find UFOs. Okay, so I made that last bit up. I think.

While Ridiculous Lad may have had a monopoly on appealing his burden of proof to whacked out whackjob whackos, there was one other post that drove me absolutely insane. This guy is really vying for first place in the annual Idiot Land Raceway races with his claims that a certain video posted on Youtube (another factually accurate site) “may be ‘sun pillars’ a [sic] phenomenon that appears right before a major seismic event.” Never mind that sun pillars are caused by certain light sources (like the sun) and are a classification of things we see known as optical phenomenon. It has nothing to do with earthquakes. Don’t bother watching the videos, either. One of them showed the devastation of an earthquake and people talking about it, and that somehow implies HAARP is to blame. Maybe it’s responsible for poor news coverage.

Just remember this the next time the sky looks funny:

What’s more, the videos Mr. unityeleventyone linked to all sorts of things like sun dogs, rainbows, pillars of smoke (from a fire), and the likes as “evidence” that the sky changes color immediately before an earthquake and everyone gets their medicine shaken whether they politely asked for it or not. I wonder what the heck happens to these people during a sunset when the sky changes color?

I have little faith in certain aspects of humanity. Especially with this Interwebs business. Never before have we had the capacity to freely share stupid ideas at the speed of light.

Stay tuned for next week’s installment of The Internet is Stupid Part Two where I discuss a little bit about UFO history, conspiracies, and what you can do to piss off your own species of nutjob.

I read about Symfony some time back when I was working on a project in CakePHP. Symfony struck my interests primarily because it uses Doctrine (by default) as its ORM, and I’ve used Doctrine in a couple of other projects. This weekend, I elected to give Symfony a try. After reading through the documentation–which I’ll usually do for a few hours before taking the final plunge–I was satisfied that Symfony would be a great framework to learn next.

Following the initial guide was easy until I attempted to view the example application. Then I encountered this:

Fatal error: SUHOSIN – Use of preg_replace() with /e modifier is forbidden by configuration in /home/bshelton/phpapps/sf-test/lib/symfony/lib/response/sfWebResponse.class.php(409) : regexp code on line 409

Uh oh! This struck me as odd, considering Symfony prides itself on being a secure-by-default framework and it triggers a Suhosin warning from the stock install? Great. But don’t be too alarmed as the offending code isn’t a security hole (newlines were inserted by me to increase readability on the web):

The Fix

While the /e modifier does have the potential to execute PHP code, the offending line merely takes the first character immediately following a “-“ and uppercases it (the strtoupper call is the only eval’d code). However, rather than disable parts of Suhosin–which could be bad if third party code is included that also does something similar and requires auditing–I decided to fix the issue. According to the Suhosin docs, the fix is fairly simple. Simply change line 409 in symfony/lib/response/sfWebResponse.class.php to:

In this case, rather than evaluating PHP code as part of the replacement, a callback function is created that performs the same approximate test. Obviously, the solution for PHP 5.2 and below could be equally as dangerous, but if we’re careful, we can create a function exactly as we intended.

Performance Concerns

After I discovered this solution by browsing the PHP documentation, it occurred to me that callbacks in preg_replace_callback are slightly slower than performing a call to preg_replace without callbacks. I couldn’t recall precisely how slow, so I elected to perform a benchmark using several different ideas at tackling this particular problem. This section highlights these benchmarks along with each potential solution. Ironically, using preg_replace_callback is about 30% slower than performing character-by-character replacement.

The Methodology

The methodology I used to test various solutions consisted of the following steps:

Generate a large data set to aid in characterizing performance differences and elevate measurable performance discrepancies above the noise floor

Write each solution such that it consumes the data generated in step 1

Compare the performance of each method against the stock Symfony solution

Since the stock Symfony code is designed to “normalize” (their words) headers generated and sent to the client, the source data is created by a script that picks a random number of characters (all lowercase) and joins them together using a dash (-) or an underscore (_) in order to emulate strings like “content-type” or “content_type.” The same data set is used for all subsequent tests. No more than one dash or underscore is used per string; although this is unlikely cause for much concern as most headers are unlikely to have more than one or two separators.

You can download the script that generates this data, along with the source data itself, in the archive toward the bottom of this post.

Note: These solutions were tested on PHP 5.2 only. You’ll likely discover differences when testing on other PHP versions.

The Results

Before we examine each solution, let’s take a look at the results:

As you can tell from this chart, the Suhosin-recommended solution of using preg_replace_callback is the slowest. The stock Symfony code performs rather well but it still slower than simplified string replacement calls. We’ll examine each solution in the following section.

The Code

The code for each solution is provided below along with a brief description of what it does. The actual benchmarks (and benchmark data) is also provided. Remember that each of these solutions is modified to use our source data.

The stock Symfony solution to the normalization problem is to first convert the string to lowercase, capitalize the first character, and translate all underscores (_) into dashes (-). preg_replace is then run and evaluates the replacement, which converts the first character immediately following a dash to its uppercase equivalent.

As hinted by the Suhosin documentation, preg_replace_callback is recommended over evaluating PCRE replacements. Unfortunately, this solution is also the slowest. In structure, it is most similar to the stock Symfony code but replaces the evaluated code with an anonymous function. I have not tested true anonymous as presented in PHP 5.3, however. Given that create_function likely has to create an additional interpreter instance in PHP 5.2, this solution might be slightly faster in later versions of PHP when using this code:

This solution was among the fastest but its performance remains within the margin of error and may therefore be tied with Solution 4. As with solutions 1 and 2, this solution translates all characters to lowercase and replaces all underscores (_) with dashes (-). However, unlike the previous solution, this one splits each header along the dash boundary, loops through the remaining items, converts them in-place using ucfirst, and then joins them together again with a dash.

This solution is not optimal, and I expected it to be among the slowest. I was surprised to discover that this solution performed faster than the others, and I initially assumed the overhead of preg_replace was due in no small part to the requirement of loading the PCRE engine. It is also likely that increasing the number of split points in the header (by way of more dashes) will likewise increase the amount of time this solution requires to run.

My presumed explanations for the performance of this code segment were challenged with the next test.

I confess that the file name for this test is slightly misleading, and I’ll correct it in the posted archive. The initial intention was to utilize two preg_replace statements, but I elected (at the last minute, no less), to use only one in conjunction with an str_replace. In this solution, a dash (-) followed by any single character is captured, capitalized, and then replaced into the final product. As with Solution 3, this is among the fastest of the 5 tested. This solution may also scale slightly better than Solution 3 for headers containing more than a single dash.

Note that the performance of this solution hints that the slightly slower behavior of solutions 1 and 2 are likely due to code evaluation rather than the overhead of loading PCRE.

I initially assumed this would be the slowest performing benchmark of the 5. I was surprised to discover that it is the second slowest. Indeed, this solution performed approximately as well compared to preg_replace_callback as the stock Symfony code did in contrast with this solution.

Conclusion

The Symfony stock code is quite fast but still appears to create instances (at least in sfWebResponse.class.php) where partial evaluation of PHP code is necessary. eval‘d code isn’t necessarily evil, and while it most certainly is a vector for exploitation, it is the manner in which code is evaluated that makes it dangerous. Regardless, I think it is appropriate to evaluate (I made a pun!) circumstances in which code itself is eval‘d and question whether such calls are necessary. While these benchmarks are admittedly highly artificial, it is fairly obvious that in some situations, less code does not necessarily translate to better performance. More importantly, highly compressed code can be difficult for new maintainers to understand and therefore become more error prone or more likely to encounter breakage than simpler but more verbose statements.

The benchmarks listed in this article may be downloaded here, along with the spreadsheet used to chart the data points (apologies that it is in .xlsx format; I’ve been testing the Office 2010 beta–I’ll post a version with an .ods later!). Please recall that this benchmark isn’t scientific. The tests I conducted are highly artificial and are presented for only an exceedingly small subset of data variation. It is likely that other methods are faster, more efficient, and more appropriate for the given solution. Indeed, the entire purpose for this exercise was two-fold: 1) To avoid having to make any configurational changes to Suhosin and 2) surprise myself with how many unique solutions I could create for a single problem. I think I succeeded on both counts.

If you post commentary, please keep in mind that this was conducted for my own purposes and curiosity only. It is neither intended to be malicious to the Symfony project nor issued as a correction to their sources (though a patch that eliminates the use of /e in preg_replace would be nice!). I’ve been highly impressed by the Symfony sources. Unlike most PHP code, they’re clean, concise, easy to understand, and well-documented. It’s a breath of fresh air compared to a vast majority of PHP-based projects. My thanks to the Symfony project in general and Fabien Potencier in particular. Please feel free to post corrections to my methods but be polite about it!

Updates: March 2nd, 2010

I’m growing increasingly less impressed with Symfony and its internal design. It appears the developers have a strong affinity for preg_replace‘s /e modifier. Yes, I understand, you audit your code and it’s secure. But do you know what the most significant problem is with suggesting users disable Suhosin’s suhosin.executor.disable_emodifier flag is? Users are likely to do it globally–rather than in an .htaccess file somewhere–and as a consequence, they’ll likely open their systems up for (admittedly unlikely but possible) far worse things. I haven’t tried Symfony 2.0 yet, but I hope they’ve resolved this. It’s stupid. And it pisses me off.

Anyway, if you’re looking for some quick fixes and are going through the Symfony tutorial and do not want to disable any part of Suhosin, here’s what you’re going to need to do.

Naturally, you’re probably better off listening to the advice of the developers directly, but this is my solution. Your mileage may vary.

Note to the developers: If you stumble upon this post in the near future (obviously this doesn’t apply to versions of Symfony beyond 1.4), feel free to add your commentary. Be mindful that some of us actually want to leave suhosin.executor.disable_emodifier set to on, including for your product. I will admit that the lines of code you’ve written look reasonably safe and do not appear to be accepting tainted input, but I’m not going to risk that. I’ve been running several versions of phpBB–and we all know the sorts of holes that software has–along with WordPress and a few other PHP-based web apps without ever having encountered this issue before. Seriously, it makes me kind of worried about the rest of your code! Let’s take a look at the comments in the Suhosin INI file:

; The /e modifier inside preg_replace() allows code execution. Often it is the
; cause for remote code execution exploits. It is wise to deactivate this
; feature and test where in the application it is used. The developer using the
; /e modifier should be made aware that he should use preg_replace_callback()
; instead.

‘Nuff said.

Here’s a good source on preg_replace, why you should always use single quotes, common mistakes, and why you should really just avoid using /e in the first place.

A friend of mine was asking how to append a string to files contained in a directory structure of unknown depth. I dug around a little bit and found this gem.

Eric has been having several difficult issues building KDE 4-point-something on Funtoo (a Gentoo fork) and it occurred to him that it might be possible to add a specific use flag to every IUSE contained within the build. Unfortunately, due to the nature of the package directory structure, it would prove tiresome attempting to append the same string to each file. Besides, that’s what scripting is all about, isn’t it?